Every application deployed in WAF-as-a-Service is assigned an IP address internally. By default, the IP address is shared between multiple applications in an account. The other deployment option is to use a dedicated IP address for each application. To assign a dedicated IP for your application, see How to Change Shared IP to Dedicated IP.
Shared IP
The shared IP address assignment will result in the following:
Traffic with valid/correct domain names (defined in the Endpoints page) will be processed and secured. Access to applications that do not have the DNS name associated will not be processed and the traffic will be dropped.
- You will not be able to define non-standard protocol and port combinations; for example:
- On ports 80 or 8080, which are typically associated with HTTP, you will not be able to define HTTPS endpoints.
- On ports 443 or 4443, which are typically associated with HTTPS, you will not be able to define HTTP endpoints.
- The IP addresses allocated in the Barracuda WAF-as-a-Service infrastructure can get changed without notice during regular maintenance or due to failovers. These changes will not cause any traffic disruption.
Applications should be configured with the standard protocol and port combination. The Barracuda WAF-as-a-Service provides the list of standard ports that can be used when configuring the application:
| Protocol | |
|---|---|
| HTTP/Redirect | HTTPS |
21,22,40,80,81,82,87,88,89, | 83,440,443,444,445,446,1415,3011, |
Precaution for Unintended Traffic Disruption with Shared IP
- Ensure all application Endpoints include all domain names that you are using to process traffic to your application.
- Ensure you do not have more than one application with the same domain name. If multiple applications in your account have the same domain name, traffic for that domain will be sent to the configured CNAME.
- If you have endpoints using non-standard ports, such as port 80 for HTTPS instead of HTTP, adjust them to use standard ports.
- Ensure all your DNS records are updated as recommended on your Endpoints page. Specifically, do not use A records instead of CNAME records, as those will not be automatically updated to use the new IPs and will stop working starting in 30 days.
- If you need to set A records for apex domains, see Apex Domains in Barracuda Campus.
- If you need to set A records for DNSSEC, Contact Barracuda Networks Technical Support for configuration details.
Dedicated IP
A dedicated IP address is an IP address assigned only to a single application and is not shared with other applications or used by other applications. You can assign a dedicated IP to an application if the:
- Application has a wildcard domain.
- Transparent TCP Proxy feature is enabled.
- Applications are deployed/configured with custom ports.
- If the application is created with only one domain, and sub-domains are using DNS mapping to CNAME. Traffic to subdomains can only be accessible if the application is assigned a dedicated IP address.
How to Change Shared IP to Dedicated IP
- On the WAF-as-a-Service web interface, go to the APPLICATIONS tab and select the application for which you want to assign the dedicated IP.
- Select ENDPOINTS in the left panel.
- On the Endpoints page, click Edit in the IP Addressing section.
- In the Edit IP Addressing window, enable Allocate a dedicated IP Address to this application and click Save.
- After the update is successful, a dedicated IP is assigned to the application.